I am working with Microsoft Entra ID and trying to manage access rights more dynamically within my organization. Currently, I'm facing a scenario where I need to restrict specific Azure Active Directory (AAD) actions for a user who is added to a particular group.

Here is the scenario:

A user initially has access to three AAD actions: A, B, and C. I need to restrict this user's access to actions A and C when they are added to group G, while ensuring they still have access to action B.

Questions:

How can I configure a Conditional Access policy to specifically restrict access to only certain AAD actions? Is there a way to ensure that adding a user to a group with restricted permissions does not affect their access to other permissions not explicitly restricted by the group? Any guidance or examples of similar configurations would be greatly appreciated.

Here is a list of AAD actions I would like to be able to block:

  • Update user.
  • Add member to group.
  • Update device.
  • Update group.
  • Change user password.
  • Remove member from group.
  • Update StsRefreshTokenValidFrom Timestamp.
  • Add contact.
  • Delete user.
  • Add registered users to device.
  • Set user manager.
  • Device no longer compliant.
  • Remove member from role.
  • Update service principal.
  • Restore user.
  • Add group.
  • Add user sponsor.
  • Assign label to group.
  • Add registered owner to device.

I understand that Conditional Access policies in Microsoft Entra ID could be used for this purpose, but I am unsure how to configure these policies to specifically block access to actions A and C for members of group G without affecting their access to action B.

1 Answer

Conditional Access can control access to applications, based on group membership, but doesn't control granular Entra directory permissions.

I'll give you a solution, but your problem is likely more to do with over-permissioning elsewhere. You may wish to consider breaking up the groups which have been given permissions for these actions.

When evaluating permissions, any explicit deny entries will take precedence over allow ones.

https://learn.microsoft.com/en-us/azure/devops/organizations/security/about-permissions?view=azure-devops&tabs=preview-page#permission-inheritance-and-security-groups

The solution is to set deny actions against group G. You can do this with a custom role, which you then assign to Group G. Deny actions take precedence over allow, and so any user in this group will be denied the actions which you specify.

You must be mindful that there is no marriage of permissions between Group G and Groups A and C; any changes to the permissions of Groups A and C will not automatically be reflected in G. So it must be updated manually if A or C ever get new permissions. That is why it is always better to structure your permissions such that only required permissions are allowed, instead of allowing and then denying using groups.

To create a custom role called "Temporary Prison" in the Azure Portal and assign it to "Group G" while denying specific actions, you can follow these steps:

  1. Sign in to the Azure portal.
  2. Go to the Entra Admin Portal, and select "Roles and administrators."
  3. Click on "Add a custom role."
  4. Enter the name "Temporary Prison" for the role.
  5. Under "Permissions," select "Add permissions" and then choose "NotActions."
  6. Add the actions to deny. Here are some examples of the actions you will need. For a comprehensive list, refer to the Microsoft Entra Directory Roles linked below:
    • microsoft.directory/users/create
    • microsoft.directory/users/update
    • microsoft.directory/users/password/update
    • microsoft.directory/devices/update
    • microsoft.directory/conditionalAccessPolicies/create
    • microsoft.directory/conditionalAccessPolicies/update
  7. Under "Assignable scopes" select the scope where "Group G" resides.
  8. Review and create the role.

This will create a custom role named "Temporary Prison" and assign it to "Group G".

Remember to test your role and group assignment thoroughly, and to select all appropriate actions to achieve your goal. There are many to choose from, and in some cases simply denying an /update action is not enough, since the user may also be assigned /create and /delete, for example.

You can find a comprehensive list of all available directory actions here:

https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference
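The allow-list structuring the answer recommends (only required permissions granted, rather than allow-then-deny), as an added example that is not part of the answer or of Microsoft's documentation: it defines a custom directory role with the Microsoft Graph PowerShell SDK, assigns it to the group, and then lists the group's role assignments so you can confirm the group grants nothing beyond the listed actions. The role name, group name and the chosen actions are placeholders, and the group is assumed to have been created as role-assignable.

```powershell
# Added example, not the answer's own steps. Assumes the Microsoft.Graph module is
# installed, the caller can manage directory roles, and "Group G" was created with
# isAssignableToRole = true (required before a directory role can be assigned to it).
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Group.Read.All"

# A custom directory role definition is a list of allowed resource actions.
# Keep it to the action the members genuinely need (action B in the question);
# action names must come from the permissions reference linked above.
$allowedActions = @(
    "microsoft.directory/users/basic/update"   # placeholder: edit basic user profile fields
)

$roleParams = @{
    displayName     = "Profile updates only"        # placeholder role name
    description     = "Allow-list role: members can only perform the listed actions."
    isEnabled       = $true
    rolePermissions = @(
        @{ allowedResourceActions = $allowedActions }
    )
}
$role = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $roleParams
Write-Host "Created role definition $($role.Id)"

# Resolve the group and verify it is role-assignable before attempting the assignment.
$group = Get-MgGroup -Filter "displayName eq 'Group G'" -Property "id,displayName,isAssignableToRole"
if (-not $group) { throw "Group G not found" }
if (-not $group.IsAssignableToRole) {
    throw "Group '$($group.DisplayName)' is not role-assignable; recreate it with isAssignableToRole = true"
}

# Assign the role to the group at tenant scope ("/").
$assignParams = @{
    "@odata.type"    = "#microsoft.graph.unifiedRoleAssignment"
    roleDefinitionId = $role.Id
    principalId      = $group.Id
    directoryScopeId = "/"
}
$assignment = New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $assignParams
Write-Host "Assigned role to group: $($assignment.Id)"

# Check: every role the group carries. Anything beyond the new role means the group
# is granting "extra" roles, which is exactly what the question wants to avoid.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" |
    ForEach-Object {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
        [pscustomobject]@{ Role = $def.DisplayName; Scope = $_.DirectoryScopeId
                           Actions = ($def.RolePermissions.AllowedResourceActions -join ", ") }
    } | Format-Table -AutoSize
```

Run the final query again after any later change to the group's assignments; it is the quickest way to see whether membership in Group G has started granting more than the one role intended.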

4 Comments

Hi :) First of all, thank you for your answer, my friend, I really appreciate it. I'm having trouble finding how to set 'deny actions' in my portal; I can't see how I can deny an action to a group. Is there a way you could help me better understand how to do it?
No problem. It's best to use a custom role. I'll update my answer with instructions. But can you confirm that a user in group G should still have some permissions in the directory? As opposed to blocking everything? This will determine the simplest way to define the role permissions.
Thanks! Just to be clear: there are specific actions I want to block from users by adding them to group G. If they have additional permissions, I don't mind if they still have them, but I don't want group G to give them 'extra' roles. Imagine group G as a 'temporary prison' I want to put my users in. @ArchitectJamie
@IlayAsayag OK. I've updated my answer. Hopefully this will give you what you need.